Jinjie Ruan

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.12.0-rc4+ **Description** A Use-After-Free (UAF) bug has been fixed in the Linux kernel's KUnit string stream function. The issue occurs when `alloc string stream()` fails in the `kunit suite for each test case()` loop, causing the `suite->log` stream memory to be freed but not set to NULL. This leads to a UAF bug when `string stream clear()` is called later. The error path only frees the `suite->log` stream memory but not sets it to NULL, resulting in a UAF bug. Technical details about exploitation include: - The `string stream clear()` function is vulnerable. - The `alloc string stream()` function fails in the `kunit suite for each test case()` loop. - The `suite->log` stream memory is freed but not set to NULL. **Recommendations** To resolve the issue, update the Linux kernel to a version that includes the fix for the UAF bug. As a temporary workaround, consider disabling the `string stream clear()` function until a patch is available. Restrict access to the vulnerable `kunit debugfs create suite()` function to minimize the risk of exploitation. Avoid using the `suite->log` stream in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A possible null pointer dereference issue has been resolved in the Linux kernel. The issue occurs in the cpufreq component, specifically in the CPPC (Collaborative Processor Performance Control) functionality. The `cpufreq cpu get raw()` function may return NULL if the CPU is not in the policy->cpus CPU mask, leading to a null pointer dereference when calling `cppc get cpu cost()`. To address this, a NULL check has been added for `cppc get cpu cost()`. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to a possible null pointer dereference in the `cpufreq cpu get raw()` function. This function may return `NULL` if the CPU is not in the `policy->cpus` CPU mask, leading to a null pointer dereference. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Linux kernel (affected versions not specified) Description: A memory leak issue has been identified in the Linux kernel, specifically in the `vcap api encode rule test()` function. The issue was introduced after a fix for a use-after-free error was applied, which removed a necessary call to `vcap free rule()`. This has resulted in memory leaks, as evidenced by the presence of unreferenced objects. The issue is related to the `vcap rule add key()` and `vcap rule add action()` functions. No information is provided about the estimated number of potentially affected devices or real-world incidents where this issue was exploited. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Linux kernel versions prior to 6.6.58 Description: The issue arises from the `static call del module()` function, which fails to handle module initialization failures correctly. When a module is inserted, `static call add module()` is invoked to initialize static calls. If an allocation failure occurs during this process, `static call del module()` is called to clean up. However, this function blindly assumes that `key::mods` points to a valid `struct static call mod`, leading to a #GP error when it's actually a pointer to built-in usage sites. The problem stems from the `key::mods` being part of a union, where the type of the pointer is differentiated by bit 0. To fix this, it's necessary to check whether the key has a `sites` or a `mods` pointer. If it's a `sites` pointer, the key should not be touched, and the site walk can be terminated. Recommendations: For Linux kernel versions prior to 6.6.58, update to version 6.6.58 or later to resolve the issue. As a temporary workaround, consider disabling the `static call del module()` function until a patch is available. Restrict access to the vulnerable `static call add module()` function to minimize the risk of exploitation. Avoid using the `key::mods` pointer in the affected `static call del module()` function until the issue is resolved.

Name of the Vulnerable Software and Affected Versions: Linux kernel (affected versions not specified) Description: A memory leak issue has been identified in the Linux kernel, specifically in the `damon sysfs test add targets()` function. The `sysfs target->regions` allocated in `damon sysfs regions alloc()` is not freed, causing a memory leak. This issue has been resolved by freeing the allocated memory. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue concerns memory leaks in the Linux kernel, specifically in the `iio gts build avail scale table()` function. If `per time scales[i]` or `per time gains[i]` `kcalloc` fails in the for loop, the `err free out` will fail to call `kfree()` each time when `i` is reduced to 0, resulting in memory leaks. The fix involves checking if `i >= 0`. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Linux kernel versions prior to 6.6.61 Description: A memory leak issue has been identified in the Linux kernel, specifically in the iio gts build avail scale table() function. This issue occurs when the per time gains[i] is not freed, which is allocated in the "gts->num itime" for loop. The memory leak is triggered by modprobe iio-test-gts and rmmod, resulting in unreferenced objects. The issue includes multiple instances of "size 64" and "size 16" memory leaks, corresponding to specific function calls. Recommendations: To resolve the issue, update to Linux kernel version 6.6.61 or later. As a temporary workaround, consider disabling the iio-test-gts module until a patch is available. Restrict access to the vulnerable iio gts build avail scale table() function to minimize the risk of exploitation. Avoid using the per time gains[i] variable in the affected function until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.6.58 **Description** A potential null-ptr-deref issue has been resolved in the Linux kernel's driver core. The issue occurs when `kasprintf()` fails in `module add driver()`, causing a null pointer dereference in `kernfs name hash()` due to `strlen()` being called with a NULL `driver name`. This can lead to a kernel panic. The issue is fixed by releasing resources based on the exit path sequence. **Recommendations** To resolve this issue, update the Linux kernel to version 6.6.58 or later. As a temporary workaround, consider disabling the `module add driver()` function until a patch is available. Restrict access to the vulnerable `of fpga region` module to minimize the risk of exploitation. Avoid using the `driver name` parameter in the affected `sysfs remove link()` API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.6.0-rc2+ **Description** The vulnerability is related to a user-memory-access bug in the `uclogic params ugee v2 init event hooks()` function. When `CONFIG HID UCLOGIC=y` and `CONFIG KUNIT ALL TESTS=y`, the bug occurs, causing a general protection fault. The issue arises when `hid test uclogic params cleanup event hooks()` calls `uclogic params ugee v2 init event hooks()` with a null argument, leading to a null pointer dereference in `uclogic params ugee v2 has battery()`. The vulnerability can be exploited to cause a denial of service. **Recommendations** To resolve the issue, update the Linux kernel to a version that includes the fix for the `uclogic params ugee v2 init event hooks()` function. Specifically, update to a version later than 6.6.0-rc2+. As a temporary workaround, consider disabling the `uclogic params ugee v2 init event hooks()` function until a patch is available. However, this may have unintended consequences and should be approached with caution. Note: The provided information does not specify the exact version that includes the fix, so it is recommended to update to the latest available version of the Linux kernel.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The vulnerability is related to a memory leak in the Linux kernel, specifically in the `damon do test apply three regions()` function. This issue can be detected when `CONFIG DAMON VADDR KUNIT TEST=y` and `CONFIG DEBUG KMEMLEAK=y` and `CONFIG DEBUG KMEMLEAK AUTO SCAN=y`. The memory leak occurs because the `damon destroy ctx()` function is removed, but the `damon new target()` and `damon new region()` functions are still called, resulting in unreleased memory allocations. The vulnerability can be exploited to cause a denial of service. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.6.0-rc2+ **Description** The issue is related to a null-ptr-deref bug in the `mdev unregister parent()` function. When probing `mdpy.ko`, if `kstrdup()` of `create dir()` fails, it will return 0 and probe successfully. However, when `rmmod mdpy.ko` is called, `mdpy dev exit()` will call `mdev unregister parent()`, which may cause a null-ptr-deref when traversing uninitialized `parent->types[i]` in `parent remove sysfs files()`. This can lead to a general protection fault. To fix the issue, the code should return the error code and call `kset unregister()` when `mdev type add()` fails. **Recommendations** To resolve the issue, update the Linux kernel to a version that includes the fix for the null-ptr-deref bug in `mdev unregister parent()`. As a temporary workaround, consider disabling the `mdev unregister parent()` function until a patch is available.